We've also seen that the governmental attacks are sophisticated because they don't want it to be detected or used by an enemy. The NSA attacks were things like intercepting specific hardware shipments or network links – which reduces the number of people who could possibly notice the problem – or getting people to use a random number generator which only they have the key to reverse[1].
In contrast, this is a textbook example of a sloppy developer who doesn't understand security but is writing network facing code which is never properly audited, and it's consistent with the number of other bugs mentioned.
Saying that it might be a government is like saying that because the CIA has killed people every pedestrian hit by a drunk driver is probably an assassination.
I would say that if people on HN are saying the attack is too stupid to be government supported, then the government has succeeded at their primary goal of having plausible deniability with these issues.
If we take recent history, we now have hard evidence of all sorts of conspiracy theory type stuff being absolutely true. With that in mind, do we just keep defaulting to 'not government' every time there's a deliberate backdoor identified? Sounds like a great way to maintain the status quo and ensure that no action is ever taken to curb this.
> this is a textbook example of a sloppy developer who doesn't understand security
Your argument is that because one thing which some people considered a conspiracy theory, but most experts did not, turned out to be true, we should believe all of them?
Yes, there’s a hardcoded password. The field has a long history of people adding those to make support easier, and I’d bet a lot more that that password means someone with that name worked on the mydlink project than that the NSA put it there, just as most burglaries are routine crime even if the CIA or FBI has been known to quietly bug houses.
1. https://blog.cryptographyengineering.com/2013/12/28/a-few-mo...